operator-lifecycle-manager

[WIP] PSA Updates

Open perdasilva opened this issue 3 years ago • 3 comments

Description of the change: This PR updates the namespace and operator deployment resources and the catalog source and bundle unpacker job to enforce the PSA restricted profile.

NOTE: These changes will break sqlite-based catalog sources due to a bug in opm (fix), in which a copy of the database was made on the root of the filesystem.

Motivation for the change: Upstream k8s is rolling out the new Pod Security Admission (PSA) mechanism to improve cluster security and substitute the Pod Security Policies feature (link).

Architectural changes: None

Testing remarks: Manually tested on kind with k8s 1.24

Reviewer Checklist

  • [ ] Implementation matches the proposed design, or proposal is updated to match implementation
  • [ ] Sufficient unit test coverage
  • [ ] Sufficient end-to-end test coverage
  • [ ] Bug fixes are accompanied by regression test(s)
  • [ ] e2e tests and flake fixes are accompanied by evidence of flake testing, e.g. executing the test 100(0) times
  • [ ] tech debt/todo is accompanied by issue link(s) in comments in the surrounding code
  • [ ] Tests are comprehensible, e.g. Ginkgo DSL is being used appropriately
  • [ ] Docs updated or added to /doc
  • [ ] Commit messages sensible and descriptive
  • [ ] Tests marked as [FLAKE] are truly flaky and have an issue
  • [ ] Code is properly formatted

perdasilva, Jul 04 '22 12:07
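What the restricted profile named in the description above requires of each container, as an added example that is not code from this PR or from operator-lifecycle-manager: the `SecCtx` type and `Violations` function are hypothetical stand-ins for the Kubernetes `securityContext` fields. It evaluates only the effective per-container values of four restricted-profile controls and skips the baseline checks, so it is narrower than the upstream admission check.

```go
package main

import "fmt"

// SecCtx: hypothetical stand-in for the securityContext fields checked here (not k8s.io/api types).
type SecCtx struct {
	RunAsNonRoot, AllowPrivEsc *bool
	Seccomp                    string   // seccompProfile.type
	Drop, Add                  []string // capabilities.drop / capabilities.add
}

// Violations lists the restricted-profile controls container c fails; pod supplies pod-level defaults.
func Violations(pod, c SecCtx) []string {
	var out []string
	nonRoot, seccomp := c.RunAsNonRoot, c.Seccomp
	if nonRoot == nil {
		nonRoot = pod.RunAsNonRoot
	}
	if seccomp == "" {
		seccomp = pod.Seccomp
	}
	if nonRoot == nil || !*nonRoot {
		out = append(out, "runAsNonRoot must be true")
	}
	if c.AllowPrivEsc == nil || *c.AllowPrivEsc {
		out = append(out, "allowPrivilegeEscalation must be false")
	}
	if seccomp != "RuntimeDefault" && seccomp != "Localhost" {
		out = append(out, "seccompProfile.type must be RuntimeDefault or Localhost")
	}
	dropsAll := false
	for _, d := range c.Drop {
		dropsAll = dropsAll || d == "ALL"
	}
	if !dropsAll {
		out = append(out, "capabilities.drop must include ALL")
	}
	for _, a := range c.Add {
		if a != "NET_BIND_SERVICE" {
			out = append(out, "capabilities.add may not include "+a)
		}
	}
	return out
}

func main() {
	t, f := true, false // constructed sample inputs
	fmt.Println(Violations(SecCtx{}, SecCtx{}))
	fmt.Println(Violations(SecCtx{RunAsNonRoot: &t, Seccomp: "RuntimeDefault"}, SecCtx{AllowPrivEsc: &f, Drop: []string{"ALL"}}))
}
```

A container with no `securityContext` fails all four controls, which is why every pod template that must run in an enforcing namespace has to set them explicitly.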

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: perdasilva

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment.
Approvers can cancel approval by writing /approve cancel in a comment.

openshift-ci[bot], Jul 04 '22 12:07

/hold until we figure out how to migrate. These changes are only valid from k8s >= 1.19. Should we cut a release before merging and only support 1.19 going forward?

perdasilva, Jul 05 '22 08:07

@perdasilva: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci[bot], Jul 11 '22 22:07

/close

as this is out of date.

anik120, Aug 23 '22 18:08

@anik120: Closed this PR.

In response to this:

/close

as this is out of date.


openshift-ci[bot], Aug 23 '22 18:08